New MyDoom.M worm: NOD32 detects it via Heuristics.

Discussion in 'NOD32 version 2 Forum' started by tempnexus, Feb 16, 2005.

Thread Status:
Not open for further replies.
  1. tempnexus (Registered Member)
    But it only gets the worm payload, not the trojan one.

    I submitted the attachment.

    So don't open anything that says attachment.zip which contains an .htm file and the file icon looks like that nice old MS-DOS icon. :)

    Cheers,

    Oh yeah, AH must be enabled and the worm must be unpacked or run in order to be detected. (You can safely download the file without NOD giving a peep.)
     
  2. tempnexus (Registered Member)
    Symantec responded with Emergency DEFS update. (full blown detection)

    McAfee responded 5 hours ago. (full blown detection)

    KAV detected it with Monday's DEFS.

    eTrust responded with a full blown detection.

    ClamAV responded with a full blown detection.

    F-Prot: full blown detection.

    NOD32 still Heuristic only.

    The worm is now Category 3.
     
  3. tempnexus (Registered Member)
    OK, Symantec has done a full analysis of the threat.
    http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.ax@mm.html

    Time is ticking; so far the response of NOD32 is not so great. Come on guys/gals.

    I sent the strain at 4 pm, it's 12:16 am now, so that's 8 hours from my submission.
    McAfee updated it at noon.
    Norton at 7:30.
    So far we are about 5 hours behind Norton and counting.

    I know it detected the first one via heuristics but it did not nail the trojan.

    Now this has become more of a test of response time than heuristics time. We have a Category 3 worm spreading and so far no solid defs are present.

    Make it 2:30 am, 10.5 hours. So I guess NOD32 does not have an Emergency response team after 5 pm EST?
  4. Capp (Registered Member)
    The def file may not be updated yet, but I can bet money that NOD wouldn't let it infect your computer if you tried. That's the wonderful thing about it. Everybody has to frantically update their def files so they can detect it too; NOD catches it and prevents it without having the def updated. :D
     
  5. tempnexus (Registered Member)
    Yes, but what about a scenario where NOD's heuristics fails to detect it (it happens a lot... not as much now (since the last update of advanced heuristics) but it still happens). In that case you have to count on the response time of NOD's definitions. If they are slow, then your friend with Norton, KAV, McAfee, BitDefender or Clam will be protected and you'll be exposed.
     
  7. jlo (Registered Member)
    Hi,

    Well, I agree with you. I love NOD and I guess because it detects the file with heuristics there is not such a rush to get defs out.

    Although I bet there are people who have AH disabled, so I still think that defs are very important and should be released quickly. I am sure if AH had not detected it, NOD would have been one of the first to get defs out.

    I have full AH enabled here though :)

    Cheers

    Jlo
     
  8. sir_carew (Registered Member)
    Indeed, this Mydoom isn't a new variant. It's only Win32/Mydoom.R, but packed with MEW and not UPX. But because AH uses a "generic unpacker", NOD was able to detect this repacked variant. Anyway, as of 1.1000, Eset added Win32/Mydoom.AW via signature.
     
  9. tempnexus (Registered Member)
    Nope, 1.1000 did not detect the variant, since I had 1.1000 and it was detected via AH. It was detected with today's update (1.1001) as Mydoom.R.

    So it took them a day to add it. Quite slow for a level 3 worm.

    When run in my VM the only detection I got was via AH; with AH off my VM got fully infected.
     
  10. Stan999 (Registered Member)
    Great to see NOD's AH, which is set on by default in IMON, detected this at the zero hour before other AVs could get their definitions out and the end user got around to updating the definitions for their AV.
     
  11. ronjor (Global Moderator)
    Great work Eset!
     
  12. tempnexus (Registered Member)
    Yep, but KAV also got it with Monday's defs.

    If you got it via e-mail and your e-mail is IMAP and you are using Firebird to read it, then IMON would not get it. At least it did not happen in my case. So with IMON gone and AMON set without AH, the user would still get infected.

    So in the end we need a lot quicker response for high-level infections (at least faster than 1 day; others responded in less than 2 hours).
     
  13. Stan999 (Registered Member)
    On my end it is still good that NOD's AH detected this before the other AVs.

    The Advanced Heuristics is one of the main reasons I use NOD for zero-day protection, while with other AVs there is a wait time for the definitions which may be too late for someone no matter how fast they get them out.

    They should set AH on in AMON by default like it is in IMON. I find no slowdown with AH set on in AMON.
     
  14. Gauthreau (Guest)

    AH is great, but it is in no way a reliable substitute for proven signatures. NOD should be working on faster response times for their defs rather than sitting on their AH laurels. Prompt service is still a major part of any vendor/consumer game.

    Neil
     
  15. Marcos (Eset Staff Account)
    Advanced heuristics is highly reliable in the case of worms. I would say there's less than a 0,001% probability of getting an unsolicited email with an attachment which AH would evaluate falsely as a probable virus.
     
  16. sir_carew (Registered Member)
    Advanced heuristics is highly reliable on backdoors too.

     
  17. Blackspear (Global Moderator)
    This is nice to know Marcos, thank you.

    Cheers :D
     
  18. OK then, let's flip the coin.
    With NOD32 response time lacking, then what is the probability of AH evaluating a positively viral (no definitions) unsolicited email as a virus?
     
  19. Stan999 (Registered Member)
    I have NOD on one machine, KAV on two machines and one of the free AVs on a fourth machine.

    Even though NOD was a bit slow getting the definition out on this one, which was already detected by AH, I have found they are pretty quick getting the definitions out for high-level infections. Sometimes even faster than KAV.

    Example:
    https://www.wilderssecurity.com/showthread.php?t=42010

    NOD's AH has worked well on my end.
    https://www.wilderssecurity.com/showthread.php?t=58482
     
  20. Stan999 (Registered Member)
    By the same token, some of the other AVs should stop resting on their laurels with just definitions and no or poor heuristics, and start improving their heuristics for better zero-day protection like NOD.

    No matter how fast an AV can react, there is still a wait time until the definitions are released and the end user has updated.

    I would much rather see a zero-day high-level infection stopped at the onset, like NOD has done a number of times on my end.
     
  21. JimIT (Registered Member)
    Tell that to the hundreds of Exchange admins who had to explain to the CEO that their "high-end" AV didn't catch the latest Bagle/MyDoom/Netsky worm at the door, and a bunch of clients were infected--"but hey boss, at least we got the signature within 3 hours!"
    ;)
     
  22. Paul Wilders (Administrator)
    Old worm, different packer: the new version is the same worm, only packed with a different packer. This time it was MEW, whereas in the summer it was UPX.

    Just FYI ;)

    regards,

    paul
     
  23. Gauthreau (Guest)

    You guys have really missed the point. Many people, such as the NOD users here, tend to rally around posts like this one and other ones that tout how great AH was in stopping virus x, but forget about the other posts on this board about viruses that HAVE slipped past NOD's AH. Therein lies the problem. Thinking like this makes us realize that there is a dark figure: how many viruses go undetected because of complacency in relying on AH to find a virus on your machine. Examples:

    1. https://www.wilderssecurity.com/showthread.php?t=55903&highlight=missed
    2. https://www.wilderssecurity.com/showthread.php?t=43614&highlight=missed
    3. https://www.wilderssecurity.com/showthread.php?t=31324&highlight=missed

    Don't get me wrong, NOD's AH is the best in the business, BUT AH is only part of the solution. Proven signatures provided in a quick manner are the other part of the total solution. I realize that 'quick' is a relative thing, but we can all agree that a week later does not qualify as 'quick'. We can reply with anecdotal quips like "but hey boss, at least we got the signature within 3 hours!" and ignore the idea of running a virus for a WEEK before getting an update, only to find out then that your system is infected. I assure you no boss would want to hear that either. A backdoor giving access to protected information is not something that anyone wants. But, hey, get complacent and rely on AH.

    Obviously there are many users who agree with me to some extent on this point, as many here run a secondary AV as well as AT software. This isn't a knock against NOD, but rather a recognition that it isn't going to get them all, regardless of how great AH is. That is the nature of the beast. Quick response time can only make the product better; complacency will only make it worse.

    Neil
     
  24. Stan999 (Registered Member)
    I currently run NOD on one machine, F-Secure on two machines and one of the free AVs on a fourth machine.

    Even KAV can be late getting the definitions out on a high-level threat.
    https://www.wilderssecurity.com/showthread.php?t=42010

    It has been my overall experience that NOD does a good job with the definitions.
    http://www.nod32.com/scriptless/support/info.htm

    What I am saying is that you need both definitions and good heuristics for the best overall protection.

    From what I have seen, some AVs pretty much rest upon their definitions and have not developed quality heuristics to provide that additional security level for their customers with a zero-day defense.

    From using the above posted AVs and others, no matter how fast the definitions are released it is always going to be too late for some of their customers. A good heuristics detection like NOD's AH can only make their product better.
     
  25. JimIT (Registered Member)
    I think we can all agree that timely defs are imperative; I'm certainly not arguing that. I think, however, that you will find that as a rule, NOD adds detections for new malware very quickly. I think, also, that most users, rather than being described (inaccurately, in my opinion) as complacent while having the protection of AH, appreciate it as a very strong component of an already very formidable virus defense.

    Avast! is another up-and-comer in this area, and kudos to them.

    The point I believe you are missing is that all AVs will sometimes miss a virus because they don't have the definition. NOD32 misses many fewer because of IMON's AH, and catches almost all of the zero-day worms, and a lot of other malware, before most other AV companies can issue a def. Those aren't anecdotal quips; they're being proven time and time again in labs and in the real world.

    ;)
     